1 / 15

Snort Lite

Snort Lite. Members Michael Attig (mea1@arl) Hardware Design / System Architecture Qian Wan (qw2@arl) Software Design Webpage http://www.arl.wustl.edu/arl/projects/fpx/snort_lite/. Motivation. Built up ability to do packet inspection Would like to add some form of packet-classification

dewey
Download Presentation

Snort Lite

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Snort Lite Members Michael Attig (mea1@arl) Hardware Design / System Architecture Qian Wan (qw2@arl) Software Design Webpage http://www.arl.wustl.edu/arl/projects/fpx/snort_lite/

  2. Motivation • Built up ability to do packet inspection • Would like to add some form of packet-classification • Combining these 2 features is a first step toward implementing Snort in hardware • Ideally reach line rates • Inspect all packets • Turn Snort active • Header Processing + Payload Processing

  3. Assumptions • Time constraints force several assumptions • Support Signature lengths from 10 to 32 characters long (80 to 256 bits) • 1 content-rule can be associated with only 1 header rule • Must have content and header rule • Content + Header = Rule • No content Wildcards (no regular expressions) • Wildcards are allowed in Header Fields • Recognize IP, TCP, UDP protocols

  4. Hardware Overview SID Packet Data Matching Rule

  5. Major Components Functionality • Options Processing • Payload Processing via Multiple Bloom Filters • 8 Hash Functions per BF • False Positive Probability 0.0039 • SDRAM Hash Table Implementation (Quadratic Probing) • Expected Number of Lookups = ? • Header Processing • SRAM table lookup • Header Fields Comparator

  6. Chip Utilization • Number of 4-input LUTs – 63% • Number of Occupied Slices – 88% • Number of Block RAMs – 123 of 160 – 76% • Speed – 34.7 MHz • (this number doesn’t reflect current design)!

  7. Control Opcodes • x70 – Add String to Hash Table • x72 – Remove String from Hash Table • x74 – Set Bits in a Bloom Filter • x76 – Add Header Table Entry • x78 – Remove Header Table Entry • x80 – Change Alert Message Destination • x82 – Read Header Table Entry • x84 – Read Statistics • x86 – Test Functionality / Pass Through

  8. Example Rule • alerttcp128.252.153.51/16 any 192.168.200.10 80(content: “Look at my Sample content!”; sid:750;) • Generic • actionprotosrc_ip src_portdest_ip dest_port(content: sid:)

  9. Java Rule Parser • Reads in a Rule File • Creates the payload for 3 control packets to program Circuit • x70 – add signature to analyzer • x74 – set bits in appropriate Bloom Filter • x76 – Add Header Entry • Tells you if a rule doesn’t match assumptions • Ignores other fields • Just extracts content and sid

  10. Data Flow Overview Add rules from web interface Output statistics to web page Save rules into database Construct rules to plain text Record matches in database Parse rules into payload Construct payload to UDP

  11. Updated Table definitions in DB snortlight BLOOMCNTR ------------------ BloomId INT ; BlockRAMId VARCHAR(10) ; BitPosition INT ; Counter INT ; RULEMATCH ------------------ PacketID INT ; RuleID INT ; // FK of RULES EventDT DATE; MATCHSTATIS // use 0 for false match -------------------- RuleID INT ; BloomID INT ; StartDT DATE; EndDT DATE; counter INT ; TABLES BLOOMFILTER --------------------- Id INT ; // identity(1, 1) BlockRAM1 INT ; // the ID of BlockRAM 1 BlockRAM2 INT ; // the ID of BlockRAM 2 BlockRAM3 INT ; // the ID of BlockRAM 3 BlockRAM4 INT ; // the ID of BlockRAM 4 BlockRAM5 INT ; // the ID of BlockRAM 5 RULES ---------- Id INT ; // identity(1, 1) BloomId INT ; // FK of BLOOMFILTER Content VARCHAR(100) ; // NOT NULL SourceIP VARCHAR(30) ; DestIP VARCHAR(30) ; SourcePort VARCHAR(20) ; DestPort VARCHAR(20) ; NoCase ENUM(“FALSE”, “TRUE”) ; // 0 false InHardware ENUM(“FALSE”, “TRUE”) ; // 0 false Action CHAR(5) ; // actions to take Protocol CHAR(5) ; // type of protocol InsertTime DATE; DeleteTime DATE; KeepLog ENUM(“FALSE”, “TRUE”) ; // 0 false

  12. Work completed during break- software • Resolved All Major Technical Challenges during first-use of PHP and MySQL • Reconfigured Apache and PHP for Java extension and tested using system classes • Tested File I/O from PHP and tested • Reconfigured PHP for socket extension and tested using Telnet to communicate to server • Modified Web Pages ( partial demo)

  13. Web Interface • Use Apache as web server, MySQL as database server all on Windows XP • HTML and PHP including its extensions to glue the system together

  14. Results - Software • Integration • Statistics for matches • Bloom Filter Counter • Software and hardware components • Sockets?

  15. Future Work • Redesign – too many assumptions • Allow Header-only and content-only rules • Implement more content-based features • TCP flags • IP options • More header fields • Multiple Signatures per content rule • Snort has many over-lapping rules • Software to dynamically recreate VHDL to change Number of PBFs per LBF based on number of strings for a particular length • Statistical Modeling would help determine this

More Related